import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;
import java.util.*;
import java.util.zip.*;

/**
 * 高级密钥提取器
 * 
 * 新假设：
 * 1. ep解密后的数据可能需要与其他信息组合
 * 2. 密钥可能是 ep + timestamp 或 ep + organization 等的组合
 * 3. 密钥可能是 ep 的某个变换（XOR, reverse等）
 */
public class AdvancedKeyExtractor {
    
    private static final String EP_ENCRYPTED = 
        "qt0AJsNLEfayUx7S15jLfmQvMOpW6JJ+jCoxeXxn676R2OiN6xpLIQWSYe8ETFUF4+AaGrVY1wMCdyUPVaHM0J+8m+q/PUFgbiP3N8xSKQc4lIzzZuckbybYiFuLbEhcblmy162S5B70UJxzB6grhIVpsG/h0uw+JPaS2yTPpPVCiN/SImdOw2g12cun6niAwRZSQktZikzzbjwkRoiO8ehrwlAFJircnT1/1zba2oaGXLc/yU6cM2vWgJdyyoXJF4Mo/5XNBTDT+8yr1hPC5MKHWcTBB/isrRTD5CczInLgXHl48KKz18GkpPM7MML1GHb4pIjfTvu8hv/SLLW0sg==";
    
    private static final String PRIVATE_KEY_PEM = 
        "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCz8JyumzBRR1njdxPzCFpqWXrAUBiC4ycTbTDdWdpZkciwiXU5s/OxF5i7l+Hvwc9Ggjph/PKo7PpWhxZpzyEGpd6yVN9jAjJOt23o2TesgK8L/DAMhdJL8gNxKAQumbGF+ebMbcS8jWLxvDAqpmnEW8VdCLEjF6uqOPtcDmIkBF83W6oaeu32DzTr/NS16sUGQKxlflo9qPOl7VtcIsbR52klKK4uIyY23tWCouiyG84c/Uit+PleD5EYUGEu3p7IAAG5uJNzeUd0UjZDhy6x7ue+kGgcCmCNQ4zSS/bQHMknalwqJUvUSxtIf8dq+/D78m7d4Zt9n9ZD27t4Z2jHAgMBAAECggEAAr15RVdrpvE1NzeLADpyVghCzEbr+KJI6AzTn6tMneyQZ8/QDy7kWSAI3WJ0uFf1Nhepl/BoKZZiQYsRFk9nK1i/SWvtcu6HoZc9fzw/ksrq333ZpXcsOqfW0ZRQa/0/LNEfaKGLS2vDw/afrSaXmbvkB4SoXeZwYMk5Wq+FYxL/alrNpg/lzdvBlsCsTDA0G2RZrUVaO5yRTLRisBU+i8yORgnGkEwWvKpZYSFogCHSiYHiNXFy//C+sYWlK7DjmG8/+krKhqBRRfdeg7LFThHQpbEGTtueD57jw0PCo2yr6dqTvW9Qys+aWVNJk7RHNaI0yBFKWPadaHi3/olzkQKBgQDmz/FDpztS0fjKDIOjgDyE76Z6dRFenmKJM1eOFt+MniY6/vi4ylU51/Etm4k6dNJ1MVBoFfyT9X0U/4k7GNNUfIxMCJztUgY6EaCCt+09wk8pIvmOlRCmtxGwvmVC4nJVgUj3XJQ+wseblAkkW0+IuT3GKX0CdKFMU4q9aucLYwKBgQDHk3rQ8Ae4ci4oj+MehRI29SNpcXG6OHbrZ2EdsgqiFC1o/qv0269jtmCP7IqkGMdhTQrVetTHjZNZJH2bvUZ4o/0YT2+TTFPIkTb2/a0txUTBTKrbnAdXh/iPFZAGvBROEDN0MNKo/vGAfi0K836DeTyBIaYongm66Rn6pwnUTQKBgBveVaougfoxAhIbSrWuISCH8xjsE6nSA+G/Aj5Uwq8u1TzgVlWxkHLIgQVZt0sImfSufJ/kr7eJt42WgRJSoAmedC4mCBSbh8bxI+lEne+MC5TS9UDi/Ly0c/1cL8vQna93ScEcO4YMbJ97U1NBdyvx+eR4U/C89lDJ8YGHa9gzAoGAQ6sYsHFCXOKyDeTDoFyEUYgKqrzhT7/HaofR4Oy2OEBZKUl4anx2WnvC/+m3FG6mY7JoovuT29mABXCe+khR9aO8tBpy/WGa4t2B4nse1e8WIehp4i5kOuSKfZFVFUN+Kv3JRHMtakmO/v9JLHZlBhT8U9hh61GygOJ6gYdTiN0CgYAFz9iPy/xqLOUwiTNp3ImzhdZo9ol3Qlr9CfMWMFHqRA5AyYvly9ZzxTpUCpSA+qz6OXqAjJ0bhGQxW2KHpmcTyNGOPPca2vCaW8Mb1NTQueXpUBqX7alIkrRjUUyULteLb8FtyYl7mR3TVIu3FoO5anNwDZ+2y7R9WUEiOzY3NA==";
    
    private static final String DATA_ENCRYPTED = 
        "wHBy2LDIay6WCgEybO8bw/5OxmVd4N++OJpwr/Tgjw+TA8iZ4HAy4bN8UWtwmeGz+dqU/zX6myCireq+q465rqUqpXLhma2aEPqTaNvUTv/Y71kVpkMBkgrjMnVkIi/iBV5eKsrTPfLWO8bt0mSbLM8ghswC2m2YRInkqWXHrc8Nw0JsNjwCllOUdtwe3NuIx8oQuQ2fqj1G3g3xMp6B4sWBNAo+SjTNuKnS4chvbaD3RYnGvSLyNYu+sqbKeRNofCwVn0lVrjCAGtC9d5nqhFiGw0vWksPfmCRn7vRsl7LnqcXb+Fal/hhREBsaRJdMrst3vOEeQI6pt3RGKZ3VOsliNziKbLiNnXp2zY2fin32okAFwIOczPgeQA1yAM4FCnuT9FYAMn5ecAOY7WFhJPcOqVThy0giCJrBzpIzEHXTin+BWBO1PR8wMzBqpf6us9mhBZGzu40mzVN34xXK646aMr8f2DcD9yGO20v5icEz3OUcAeayMq+YKmBoypmvQUnaGa8pjr7RfvvajY+7pu6QHqRAQ3NLY1KjIoT3PKjabb7owQ1Txw5+Ajfjen7VEeF/Dq03nPMtNOpqD3tCdWDHWir+akJcEPtPzK4Bo2K3FrLBZt2igZD6/04jtwoAojHibKqUM1Rj5h2iijH65eAU1XKTpqDPNtcP5lwa1bFNV+GvuzHM+N4gcoxiELhQeG7xiUcsZrJvadkDO2z+If9vLkXTSdMKrqozUjLRapyXpULcVL8negHnj+2vKZVdoGiDhXlm23XDFjLY91ZqX2eGfGNmpJxftl83N6q4dyXpzD2gR/chHfm0CukVlL8P8aPAfEDcAsyQETc5oVLzetGVSkGBbQl+axZu8U2Ap9CXaTi1b2VcI3he19nvgG8XEFnwP6Tbicm5PDDsiRjo2MRqfuPLWkcSHTmBlS6w8yrzAvth9x/bBLg8XLs8M/B/dKSfOa9sbptfTMmEuuhWbnqCyqnFSUt8lsFlcUbJdK02TcMbd789pANnrKTTfFeOUehu5XReHng4DfV7f6boQmJPnZfwuR8qFwp7vwme235RTloktlkQu/2QFl2LmCv+/8Za43dEdFba9Ae6I1p+50zunyIjGTE6/9RT+g/zgagzgV/qDDSM5VF6E2Ic62W/KkpfSPMHAk5Jwg0LlsSMnFXYCynZoDZ5M8s62V15VaEII3s/6wPCu4lba/BxPanRtw60EVsvrJ7B0mnG+hcW8AGVeG1ZBIhgPH887/bY+05b0MnSkhjlrys8GKSaukVbtnrLJmjePt+LdLe6tH2NTwxjbHhJR028ZWaQKvdC5BD2hRflDMBPKL68D6YJ2bitqnKKdEqYHdCMXtOXh68XUqwfkoF3phQtYHyrqF4Wsgukf3/gAlt/yF0dXFTIUzoDTc34MEAaLFENVFDt4PUnYw2SRT8i/bhi3tcavu6Hnjs=";
    
    private static final String TN_ENCRYPTED = 
        "BMWDCPVx97y8KsnGiff6u4lmEogvgO30LtR/QvfGyqQWadycCGkbGhL7jCKvJTHmlK0k+fDR0XKq8U2IINpo0+aiWg8+nwaXQofOsilfXgDzG0DK9WJuwfcOrzGUHBn4yGVXDj+SUklPWbq0fojYGLYendkSnSLYTzeYIusMyZ3HD2djXyUvekKz0cp39JgrD/Ovj2Nrwn4ffPHcIXgSjpd02QXn4LNb4/7q465mfS2oQ5fRqiRMcnxpUhSD3Ty15bXVKJpPVqlqpM+tcUcXVV4g7ggOux361BsPius8as1vd7wuK44EOJ56MJeATqROjECur2bWdftoWydjfZj5sw==";
    
    private static final String ORGANIZATION = "qvdTr7A9k1DIU04ha4eP";
    private static final String APP_ID = "default";
    private static final long TIMESTAMP = 1761287286183L;
    
    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
    
    private static byte[] hexToBytes(String hex) {
        int len = hex.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(hex.charAt(i), 16) << 4)
                                 + Character.digit(hex.charAt(i+1), 16));
        }
        return data;
    }
    
    private static boolean tryDecrypt(byte[] key, byte[] iv, byte[] ciphertext, String keySource) {
        if (key.length != 32) {
            return false;
        }
        
        try {
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] decrypted = cipher.doFinal(ciphertext);
            
            // 解压
            Inflater inflater = new Inflater(true);
            inflater.setInput(decrypted);
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            byte[] buffer = new byte[1024];
            while (!inflater.finished()) {
                int count = inflater.inflate(buffer);
                baos.write(buffer, 0, count);
            }
            byte[] decompressed = baos.toByteArray();
            String result = new String(decompressed, StandardCharsets.UTF_8);
            
            if (result.length() > 10 && result.contains("{")) {
                System.out.println("\n🎉🎉🎉 找到正确的密钥！🎉🎉🎉");
                System.out.println("=".repeat(80));
                System.out.println("密钥来源: " + keySource);
                System.out.println("密钥内容: " + bytesToHex(key));
                System.out.println("IV: " + bytesToHex(iv));
                System.out.println("=".repeat(80));
                System.out.println("\n解密后的data内容:");
                System.out.println(result);
                System.out.println("\n=".repeat(80));
                return true;
            }
        } catch (Exception e) {
            // 失败，继续
        }
        return false;
    }
    
    /**
     * 尝试使用tn字段的前16字节作为密钥的一部分
     */
    private static void tryTNBasedKeys() {
        System.out.println("\n" + "=".repeat(80));
        System.out.println("假设：tn的IV可能与密钥有关");
        System.out.println("=".repeat(80));
        
        try {
            // 解密ep
            byte[] epBytes = Base64.getDecoder().decode(EP_ENCRYPTED);
            byte[] privateKeyBytes = Base64.getDecoder().decode(PRIVATE_KEY_PEM);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
            
            Cipher rsaCipher = Cipher.getInstance("RSA/ECB/NoPadding");
            rsaCipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] epDecrypted = rsaCipher.doFinal(epBytes);
            
            // 提取ep[1:33]作为基础
            byte[] epKey = Arrays.copyOfRange(epDecrypted, 1, 33);
            
            // 提取tn的IV
            byte[] tnBytes = Base64.getDecoder().decode(TN_ENCRYPTED);
            byte[] tnIv = Arrays.copyOf(tnBytes, 16);
            
            // 提取data的IV和密文
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            byte[] dataIv = Arrays.copyOf(dataBytes, 16);
            byte[] dataCiphertext = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            
            System.out.println("ep[1:33]: " + bytesToHex(epKey));
            System.out.println("tn IV:    " + bytesToHex(tnIv));
            System.out.println("data IV:  " + bytesToHex(dataIv));
            
            // 尝试1: ep + tn的IV（前16字节）
            byte[] key1 = new byte[32];
            System.arraycopy(tnIv, 0, key1, 0, 16);
            System.arraycopy(tnIv, 0, key1, 16, 16);
            if (tryDecrypt(key1, dataIv, dataCiphertext, "tn IV 重复两次")) return;
            
            // 尝试2: data IV + tn IV
            byte[] key2 = new byte[32];
            System.arraycopy(dataIv, 0, key2, 0, 16);
            System.arraycopy(tnIv, 0, key2, 16, 16);
            if (tryDecrypt(key2, dataIv, dataCiphertext, "data IV + tn IV")) return;
            
            // 尝试3: tn IV + data IV
            byte[] key3 = new byte[32];
            System.arraycopy(tnIv, 0, key3, 0, 16);
            System.arraycopy(dataIv, 0, key3, 16, 16);
            if (tryDecrypt(key3, dataIv, dataCiphertext, "tn IV + data IV")) return;
            
            // 尝试4: 对tn IV进行哈希
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] key4 = sha256.digest(tnIv);
            if (tryDecrypt(key4, dataIv, dataCiphertext, "SHA-256(tn IV)")) return;
            
            // 尝试5: 对data IV进行哈希
            sha256 = MessageDigest.getInstance("SHA-256");
            byte[] key5 = sha256.digest(dataIv);
            if (tryDecrypt(key5, dataIv, dataCiphertext, "SHA-256(data IV)")) return;
            
            // 尝试6: 对tn IV + data IV进行哈希
            sha256 = MessageDigest.getInstance("SHA-256");
            sha256.update(tnIv);
            sha256.update(dataIv);
            byte[] key6 = sha256.digest();
            if (tryDecrypt(key6, dataIv, dataCiphertext, "SHA-256(tn IV + data IV)")) return;
            
            System.out.println("❌ 未找到正确密钥");
            
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    
    /**
     * 尝试使用ep[1:33]的各种变换
     */
    private static void tryEPTransformations() {
        System.out.println("\n" + "=".repeat(80));
        System.out.println("尝试对ep[1:33]进行各种变换");
        System.out.println("=".repeat(80));
        
        try {
            // 解密ep
            byte[] epBytes = Base64.getDecoder().decode(EP_ENCRYPTED);
            byte[] privateKeyBytes = Base64.getDecoder().decode(PRIVATE_KEY_PEM);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
            
            Cipher rsaCipher = Cipher.getInstance("RSA/ECB/NoPadding");
            rsaCipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] epDecrypted = rsaCipher.doFinal(epBytes);
            
            // 提取ep[1:33]
            byte[] epKey = Arrays.copyOfRange(epDecrypted, 1, 33);
            
            // 提取data的IV和密文
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            byte[] dataIv = Arrays.copyOf(dataBytes, 16);
            byte[] dataCiphertext = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            
            System.out.println("原始 ep[1:33]: " + bytesToHex(epKey));
            
            // 变换1: 反转
            byte[] reversed = new byte[32];
            for (int i = 0; i < 32; i++) {
                reversed[i] = epKey[31 - i];
            }
            if (tryDecrypt(reversed, dataIv, dataCiphertext, "ep[1:33] 反转")) return;
            
            // 变换2: 与data IV进行XOR
            byte[] xored = new byte[32];
            for (int i = 0; i < 32; i++) {
                xored[i] = (byte) (epKey[i] ^ dataIv[i % 16]);
            }
            if (tryDecrypt(xored, dataIv, dataCiphertext, "ep[1:33] XOR data IV")) return;
            
            // 变换3: 使用ep[33:65]
            byte[] epKey2 = Arrays.copyOfRange(epDecrypted, 33, 65);
            System.out.println("尝试 ep[33:65]: " + bytesToHex(epKey2));
            if (tryDecrypt(epKey2, dataIv, dataCiphertext, "ep[33:65]")) return;
            
            // 变换4: 使用ep的其他部分
            for (int offset = 0; offset <= epDecrypted.length - 32; offset += 8) {
                byte[] keySlice = Arrays.copyOfRange(epDecrypted, offset, offset + 32);
                if (tryDecrypt(keySlice, dataIv, dataCiphertext, "ep[" + offset + ":" + (offset+32) + "]")) return;
            }
            
            System.out.println("❌ 未找到正确密钥");
            
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    
    /**
     * 尝试HMAC派生
     */
    private static void tryHMACDerivation() {
        System.out.println("\n" + "=".repeat(80));
        System.out.println("尝试使用HMAC派生密钥");
        System.out.println("=".repeat(80));
        
        try {
            // 解密ep
            byte[] epBytes = Base64.getDecoder().decode(EP_ENCRYPTED);
            byte[] privateKeyBytes = Base64.getDecoder().decode(PRIVATE_KEY_PEM);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
            
            Cipher rsaCipher = Cipher.getInstance("RSA/ECB/NoPadding");
            rsaCipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] epDecrypted = rsaCipher.doFinal(epBytes);
            
            byte[] epKey = Arrays.copyOfRange(epDecrypted, 1, 33);
            
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            byte[] dataIv = Arrays.copyOf(dataBytes, 16);
            byte[] dataCiphertext = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            
            // HMAC-SHA256
            Mac hmac = Mac.getInstance("HmacSHA256");
            
            // 尝试1: HMAC(epKey, "shumei")
            SecretKeySpec hmacKey1 = new SecretKeySpec(epKey, "HmacSHA256");
            hmac.init(hmacKey1);
            byte[] key1 = hmac.doFinal("shumei".getBytes(StandardCharsets.UTF_8));
            if (tryDecrypt(key1, dataIv, dataCiphertext, "HMAC(epKey, 'shumei')")) return;
            
            // 尝试2: HMAC(epKey, organization)
            hmac = Mac.getInstance("HmacSHA256");
            hmac.init(hmacKey1);
            byte[] key2 = hmac.doFinal(ORGANIZATION.getBytes(StandardCharsets.UTF_8));
            if (tryDecrypt(key2, dataIv, dataCiphertext, "HMAC(epKey, organization)")) return;
            
            // 尝试3: HMAC(epKey, dataIv)
            hmac = Mac.getInstance("HmacSHA256");
            hmac.init(hmacKey1);
            byte[] key3 = hmac.doFinal(dataIv);
            if (tryDecrypt(key3, dataIv, dataCiphertext, "HMAC(epKey, dataIv)")) return;
            
            System.out.println("❌ 未找到正确密钥");
            
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    
    public static void main(String[] args) {
        System.out.println("=".repeat(80));
        System.out.println("高级密钥提取器");
        System.out.println("=".repeat(80));
        
        // 方法1: 尝试tn相关的密钥
        tryTNBasedKeys();
        
        // 方法2: 尝试ep的各种变换
        tryEPTransformations();
        
        // 方法3: 尝试HMAC派生
        tryHMACDerivation();
        
        System.out.println("\n" + "=".repeat(80));
        System.out.println("分析完成");
        System.out.println("=".repeat(80));
        System.out.println("\n结论：");
        System.out.println("密钥不在ep中以简单形式存在，也不是简单的派生。");
        System.out.println("密钥很可能是SO内部动态生成的，建议使用Frida在运行时捕获。");
    }
}



